debugging/troubleshooting IPSec one-way traffic tunnel
I have set up a business IPSec network consisting of a UC520 at the head end (headquarters) and several Linksys WRV routers at the remote nodes/networks. I see ISAKMP and IPSec SAs on both ends, and I can ping the UC520's internal IP from the remote networks. However, I cannot ping any other IP on the corporate network.
I see from "show crypto ipsec sa" that packets are decapsulated (remote to corporate) but none are encapsulated (corporate to remote). I can also see (from a traceroute) that corporate-to-remote packets are sent to the UC520's default gateway toward the Internet instead of being placed in the tunnel. This jibes with what I see with 'sho cry ips sa'.
I made sure to create an ACL for NAT so that corporate-to-remote subnets are not translated, but I don't know what else to check. I tried a "debug ip packet detail xxx" with an ACL matching corporate-to-remote traffic, but had no success with the debug and ACL.
Any other ideas?
Thank you
Diego
Well, it looks like your NAT exemption is not working. Check 'show ip nat trans' to confirm this while sending traffic.
Can you maybe post your (entire) NAT config?
Tags: Cisco Security
Similar Questions
-
LAN - to - LAN 837 to 3000series one-way traffic
Hello
Not even sure that there is even one-way traffic. The 837 is encrypting and the 3000 series is incrementing Rx, but there is nothing on decrypt and Tx respectively.
Following the Cisco IOS and concentrator configuration guides religiously.
The 837 crypto ipsec debugs seem to show that the SAs are created - when they actually decide to show themselves on the console.
Routing is not a problem - unless you consider static routes on the 3000. Am I supposed to create a static route to send traffic for the remote LAN (837) out the public interface? Or is a route not necessary, since the SA definition will determine which tunnel to go down?
Unfortunately there are no other LAN-to-LAN tunnels on the 3000 to compare against, and I have no lab.
Any help would be welcome. Of course, I can provide more information, whatever is necessary. Am at my wits' end with this one. So simple and yet not working - I must be doing something stupid.
Thank you
If the tunnel is getting built and you're getting traffic in one direction and not the other, it is usually routing.
The 831 is sending traffic to the 3000 and the 3000 is receiving it, going by your counters. The problem is probably that the hosts behind the 3000 do not know how to get back to the LAN behind the 831. Your internal network behind the 3000 will need a route to the 831 LAN that points to the interface of the 3000. The 3000 just needs a default gateway pointing out the public interface.
On the local network of the 3000, if you do not have any internal router and your inside hosts are directly connected to the same hub/switch as the 3000's private interface, then each host will need a static route to the 831 LAN that points to the 3000's private interface (this is assuming, of course, that the 3000 is not the default gateway for the hosts, which it usually is not).
Keep in mind that if you do not see any TX packets on the 3000, then the 3000 is not even seeing packets from its inside hosts that are destined for the 831 LAN; check the local routing behind the 3000 to see what is happening.
-
VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network
Hello
I'm a little confused as to what the problem is. This is the background for the problem I am facing.
One of our big clients has a Cisco ASA5540 (8.2(2)) failover pair (active/standby). Early last year, we configured a LAN-to-LAN VPN to a third-party site (a Checkpoint device on their end). It worked until early this week, when the connection problems suddenly started.
Only 1 of the 3 networks/hosts can access the remote network on the other side. The other 2 have suddenly stopped working. We do not know of any change on our side, and the remote end also insists that their configuration is correct (and from the information they sent me, it seems to be correct).
So essentially the encryption domain is configured as follows:
access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)
NAT exemption has been configured as follows (interface names changed):
nat (interface1) 0 access-list INTERIOR-VPN-SHEEP
access-list INTERIOR-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
access-list SHEEP-VPN-INSIDE line 2 extended permit ip host 10.238.57.21 host 10.82.0.202
nat (interface2) 0 access-list VPN-SHEEP
access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252
After the problem started, only connections from the 10.207.0.0/16 network worked to the remote site 10.82.0.200/30. All other connections do not work.
There has been no change made on our side, and the remote side also insists there has been no change. I also checked how long the ASAs have been up and how long the same device has been active in the failover pair. Both have been up for the same time (about a year).
The main problem is that users in the 10.231.191.0/24 network can't access the remote network. However, the remote user can initiate and bring up the VPN from their side, but they don't get any return traffic. I've also checked that the routes are configured correctly on the core routers, so return traffic for their connections should go back to the firewall.
I also used "packet-tracer", and even that does not bring up the VPN tunnel (even though it passes the VPN phases). To my understanding, "packet-tracer" alone with the source and destination IP addresses should bring up the VPN connection (even though it generates no actual traffic into the tunnel).
This is the output of the following command: "packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.82.0.200 255.255.255.252 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group interface interface1
access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
NAT exempt
translate_hits = 32, untranslate_hits = 35251
Additional Information:
- Phase 9 is a static NAT of the problem network to another interface. Don't know why it shows up in the output.
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (interface1,interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
nat-control
match ip inside 10.231.0.0 255.255.0.0 interface3 any
static translation to 10.231.0.0
translate_hits = 153954, untranslate_hits = 88
Additional Information:
- Phase 10 seems to be the default NAT configuration for the local network when traffic is headed to the Internet.
Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (interface1) 5 10.231.191.0 255.255.255.0
nat-control
match ip inside 10.231.191.0 255.255.255.0 outside any
dynamic translation to pool 5 (y.y.y.y)
translate_hits = 3048900, untranslate_hits = 77195
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1047981896, packet dispatched to next module
Result:
input-interface: interface1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
So, basically, the connection should properly go to the L2L VPN connection, and yet it does not. I tried to generate basic client traffic (with a source IP address from the client network) and I see the connection on the firewall, and yet there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall just forwards the packets out the outside interface instead of encapsulating them for the VPN?
And as I said, at the same time the remote end can bring up the connection between these 2 networks just fine, but they just won't get any return traffic for their ICMP echo messages.
access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
current_peer: y.y.y.y
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
If it were just a routing problem it would be a simple thing to fix, but it is not, because I can see the connection coming through the core router to the firewall, but it just doesn't get passed on to the VPN connection.
Could this happen due to a bug in the ASA software? Could this be something with the Checkpoint VPN device? (I have absolutely no experience with Checkpoint devices.)
If there is any essential information that I can give, please ask.
-Jouni
Jouni,
8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).
If this does not resolve the problem, I suggest opening a TAC case to get to the bottom of this ;-)
Marcin
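The one-way symptom in the counters quoted above (decaps rising while encaps stays at 0) can be checked mechanically over saved output. This is an added example, not part of the original thread: the sample text is constructed in the ASA "show crypto ipsec sa" layout, the second SA's counters are invented, and the function names are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample. The first SA reuses the selectors and counters quoted
# in the post above; the second SA's counters are invented (healthy case).
SAMPLE = """\
      local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
      current_peer: y.y.y.y
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
      #send errors: 0, #recv errors: 0
      local ident (addr/mask/prot/port): (10.207.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
      current_peer: y.y.y.y
      #pkts encaps: 198, #pkts encrypt: 198, #pkts digest: 198
      #pkts decaps: 201, #pkts decrypt: 201, #pkts verify: 201
      #send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(
    r"^\s*(local|remote)\s+ident\s+\(addr/mask/prot/port\):\s*\((.+)\)\s*$")
COUNT_RE = re.compile(r"#pkts\s+(encaps|decaps):\s*(\d+)")


@dataclass
class SaCounters:
    local: str
    remote: str = ""
    encaps: int = 0
    decaps: int = 0

    def verdict(self):
        """Classify the SA pair by which direction has carried packets."""
        if self.encaps and self.decaps:
            return "bidirectional"
        if self.decaps:
            # Peer's traffic arrives, nothing is encrypted back: look at the
            # local side (NAT exemption, routing toward the crypto interface).
            return "rx-only"
        if self.encaps:
            # We encrypt but nothing returns: look behind the peer.
            return "tx-only"
        return "idle"


def as_cidr(ident):
    """Turn 'addr/mask/prot/port' into CIDR; keep redacted values as-is."""
    try:
        addr, mask = ident.split("/")[:2]
        return str(ipaddress.ip_network(f"{addr}/{mask}"))
    except ValueError:
        return ident


def parse_sa_counters(text):
    """Return one SaCounters per 'local ident' block found in the output."""
    sas = []
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                sas.append(SaCounters(local=as_cidr(m.group(2))))
            elif sas:
                sas[-1].remote = as_cidr(m.group(2))
            continue
        if sas:
            for name, value in COUNT_RE.findall(line):
                setattr(sas[-1], name, int(value))
    return sas


def one_way(text):
    """SAs that have carried traffic in one direction only."""
    return [sa for sa in parse_sa_counters(text)
            if sa.verdict() in ("rx-only", "tx-only")]


if __name__ == "__main__":
    for sa in parse_sa_counters(SAMPLE):
        print(f"{sa.local} -> {sa.remote}: encaps={sa.encaps} "
              f"decaps={sa.decaps} [{sa.verdict()}]")
```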
-
VPN site to Site one-way traffic
Hi all
I set up a site-to-site VPN and everything works well from the remote site to the corporate site, but from the corporate site ASA 5510, I can't access the remote site ASA 5505. I checked the logging on the ASA and I can see the packets being dropped, but I can't find what I need to do to allow this traffic through. Here is most of my 5510 config. I'm sure it's something simple I'm missing, but I can't figure it out; please help.
REMOTE network is 192.168.72.0
: Saved
: Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010
!
ASA Version 8.0 (5)
!
host name Casa
uk domain name
activate the encrypted password of VgZT0UwPdkSV9l7N
zlo5ImUVRkHl4lcl encrypted passwd
names of
name 192.168.103.14 description of Appliance CITRIX CITRIX Appliance
name 192.168.3.12 description villages villages
DNS-guard
!
interface Ethernet0/0
nameif outside
security-level 0
IP address x.x.x.123 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
192.168.3.254 IP address 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
IP 192.168.103.254 255.255.255.0
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
boot system Disk0: / asa805 - k8.bin
boot system Disk0: / asa707 - k8.bin
passive FTP mode
clock timezone GMT/UTC 0
summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS server-group DefaultDNS
uk domain name
object-group network ExternalAccess
Description hosts allowed direct web access
network object-SVR-01 255.255.255.255
SVR GIS 255.255.255.255 network-object
host of network-object cient
host villages network-object
the ExternalAccessFromDMZ object-group network
Description hosts allowed direct web access to DMZ
CITRIX-device 255.255.255.255 network-object
network-object IRONPORT1 255.255.255.255
worker of the object-network 255.255.255.255
MitelUDPinternet udp service object-group
Description Mitel UDP services on the internet
20000-27000 object-port Beach
port-object eq sip
port-object eq 5064
MitelTCPinternet tcp service object-group
Description Mitel TCP services on the internet
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 3998
6801-6802 object-port Beach
port-object eq 6880
port-object eq www
EQ object of the https port
port-object eq 6800
EQ object Port 3478
port-object eq sip
EQ port ssh object
MitelTCPinternetOpt tcp service object-group
Description Mitel TCP optional services on the internet
port-object eq 3300
6806-6807 object-port Beach
36005 36005 object-port Beach
36005 36006 object-port Beach
EQ object Port 3478
port-object eq sip
MitelUDP2LAN udp service object-group
Description Mitel UDP for the local network of services
object-port range 1024-65535
port-object eq sip
MitelTCP2LAN tcp service object-group
Description Mitel TCP for the local network of services
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 1606
object-port 4443 eq
port-object eq 3998
port-object eq 3999
6801-6802 object-port Beach
port-object eq 6880
port-object eq www
EQ object of the https port
EQ object Port 3478
port-object eq sip
acl_outside list extended access permit icmp any any echo response
acl_outside list extended access allow all unreachable icmp
acl_outside list extended access permit icmp any any source-quench
acl_outside list extended access permit tcp any host Mail_Outside_AGH eq smtp
acl_outside list extended access permit tcp any host Mail_Outside_AGH eq https
acl_outside list extended access permit tcp any host x.x.x.123 eq ssh
acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh
acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8088
acl_outside list extended access permit tcp any host Citrix_Portal_outside eq https
acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8081
acl_outside list extended access permit tcp any host Mail_Outside_AVON eq smtp
acl_outside list extended access permit tcp any host Mail_Outside_AVON eq https
acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp
acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp
acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternet object-group
acl_outside list extended access permit udp any host teleworker_outside MitelUDPinternet object-group
acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternetOpt object-group
acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh
acl_outside list extended access permit udp any host ESX-PAL-01 eq ntp
acl_outside list extended access permit udp any host ESX-PAL-02 eq ntp
acl_outside list extended access permit udp any host ESX-PAL-03 eq ntp
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.30.100.0 255.255.255.224 inactive
access-list inside_outbound_nat0_acl extended permit ip any 172.31.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
inside_pnat_outbound list extended access allowed object-group ip ExternalAccess everything
acl_dmz list extended access permit ip host host IRONPORT1 Mail_Inside_AGH
acl_dmz list extended access permit udp host field of pal-svr-22 eq IRONPORT1 host
acl_dmz list extended access permit tcp host IRONPORT1 host pal-svr-22 eq 3268
acl_dmz list extended access permit udp host host IRONPORT1 ARM-SVR-01 eq field
acl_dmz list extended access permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268
acl_dmz list extended access permit udp host host IRONPORT1 Pal-Svr-17 eq field
acl_dmz list extended access allowed icmp host host IRONPORT1 Mail_Inside_AGH
access extensive list ip 192.168.103.0 acl_dmz allow 255.255.255.0 any
acl_dmz list extended access permit tcp host host CITRIX-device-CITRIXCSG-lan eq https inactive
acl_dmz list extended access permit ip any host CITRIXCSG-lan idle
acl_dmz list extended access permit tcp host IRONPORT1 eq Mail_Outside_AGH smtp
acl_dmz list extended access permit tcp host teleworker host 192.168.20.1 object-group MitelTCP2LAN
acl_dmz list extended access permit udp host teleworker host 192.168.20.1 object-group MitelUDP2LAN
dmz_pnat_outbound list extended access allowed object-group ip ExternalAccessFromDMZ all
access extensive list ip 192.168.103.0 dmz_nat0_inbound allow 255.255.255.0 192.168.3.0 255.255.255.0
dmz_nat0_inbound list of ip host 192.168.20.1 telecommuter host allowed extended access
access extensive list ip 192.168.21.0 inside_pnat_outbound_AVON allow 255.255.255.0 any
access extensive list ip 192.168.22.0 inside_pnat_outbound_AVON allow 255.255.255.0 any
access extensive list ip 192.168.23.0 inside_pnat_outbound_AVON allow 255.255.255.0 any
access extensive list ip 192.168.24.0 inside_pnat_outbound_AVON allow 255.255.248.0 all
inside_pnat_outbound_AVON to access extended list ip 192.168.32.0 allow 255.255.240.0 everything
access extensive list ip 192.168.48.0 inside_pnat_outbound_AVON allow 255.255.248.0 all
access extensive list ip 192.168.56.0 inside_pnat_outbound_AVON allow 255.255.252.0 all
access extensive list ip 192.168.60.0 inside_pnat_outbound_AVON allow 255.255.255.0 any
allow any scope to an entire ip access list
inside_nat_AVON_Marshall list extended access permit ip host Mail_Inside_AVON all
dmz_pnat1_outbound list of ip telecommuter host allowed extended access any
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
logging e-mail notifications
uk address record
logging recipient-address [email protected] level critical
Outside 1500 MTU
Within 1500 MTU
MTU 1500 dmz
management of MTU 1500
IP local pool vpnpool 172.31.1.1 - 172.31.1.254 mask 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow no dmz echo
ICMP allow all dmz
ASDM image disk0: / asdm-625 - 53.bin
ASDM location SVR-01 255.255.255.255 inside
ASDM location svr-02 255.255.255.255 inside
ASDM location IRONPORT1 255.255.255.255 dmz
ASDM location 194.81.55.226 255.255.255.255 dmz
ASDM 255.255.255.255 inside server location
ASDM location CITRIX-device 255.255.255.255 dmz
ASDM group ExternalAccess inside
ASDM group dmz ExternalAccessFromDMZ
don't allow no asdm history
ARP timeout 14400
global (outside) 2 x.x.x.121
global (outside) 1 x.x.x.125
global (outside) 3 Mail_Outside_AVON
global (outside) 4 Mail_Outside_AGH
global (outside) 5 teleworker_outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list inside_pnat_outbound_AVON
nat (inside) 3 access-list inside_nat_AVON_Marshall
nat (inside) 1 access-list inside_pnat_outbound
nat (dmz) 0 access-list dmz_nat0_inbound outside
nat (dmz) 4 access-list dmz_pnat_outbound
nat (dmz) 5 access-list dmz_pnat1_outbound
static (inside, outside) tcp ssh Icritical ssh netmask 255.255.255.255 Icritical_Outside
static (inside, outside) tcp https Mail_Outside_AGH Mail_Inside_AGH https netmask 255.255.255.255
static (dmz, outside) tcp smtp smtp IRONPORT1 netmask 255.255.255.255 Mail_Outside_AGH
static (inside, outside) tcp https Mail_Outside_AVON Exchange_Inside_AVON https netmask 255.255.255.255
static (inside, outside) tcp smtp smtp Mail_Inside_AVON netmask 255.255.255.255 Mail_Outside_AVON
static (inside, outside) udp snmp Icritical snmp netmask 255.255.255.255 Icritical_Outside
static (dmz, outside) device-CITRIX-Citrix_Portal_outside netmask 255.255.255.255
static (inside, outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255
static (dmz, external) teleworker_outside netmask 255.255.255.255 teleworker
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 X.X.X.254 1
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
oner http 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer r.r.r.244
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
Telnet timeout 5
SSH x.x.x.x 255.255.255.255 outside
SSH Mail_Inside_AGH 255.255.255.255 inside
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
prefer NTP server SVR - DC1 source inside
internal VPN group policy
attributes of VPN group policy
value 192.168.x.x 192.168.x.x WINS server
Server DNS value 192.168.x.x 192.168.x.x
enable IPSec-udp
value by default domain-ACE
username, password pmmPwcDD/inpnNfB VPN encrypted privilege 0
attributes of VPN username
Strategy-Group-VPN VPN
VPN Tunnel-group type remote access
General-attributes of VPN Tunnel-group
address vpnpool pool
Group Policy - by default-VPN
Group-tunnel VPN ipsec-attributes
pre-shared key *.
tunnel-group r.r.r.244 type ipsec-l2l
r.r.r.244 tunnel ipsec-attributes group
pre-shared key *.
by default-group r.r.r.244 tunnel-Group-map
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
inspect the tftp
inspect the sip
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:8360816431357f109b3c4b950d545c86
: end
This route overlaps with the remote network:
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
I suggest making this a more specific subnet, or adding something like:
route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip
If the above does not in fact help, run a packet-tracer to simulate the same traffic that fails on the 5510.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/p.html#wp1878788
Kind regards
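The overlap pointed out in the reply above can be found by doing the route lookup the ASA would do for each remote network in the crypto ACL. This is an added example, not part of the original thread: it assumes the egress interface is chosen by longest-prefix match, uses only the route, crypto ACL and crypto map lines from the posted config, and the function names and the gateway on the added route are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed from the route, crypto ACL and crypto map lines of the 5510
# config posted above, written in ASA syntax.
CONFIG_BEFORE = """\
route outside 0.0.0.0 0.0.0.0 X.X.X.254 1
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map interface outside
"""
# Same config plus the more specific route the reply suggests. X.X.X.254 (the
# posted default gateway) stands in for outside_default_gateway_ip.
CONFIG_AFTER = CONFIG_BEFORE + "route outside 192.168.72.0 255.255.255.0 X.X.X.254 1\n"


class Route(NamedTuple):
    interface: str
    network: ipaddress.IPv4Network


class Finding(NamedTuple):
    remote: ipaddress.IPv4Network
    egress: Optional[str]      # interface the route lookup selects
    tunnel_if: Optional[str]   # interface the crypto map is applied to
    ok: bool


def parse_routes(config):
    routes = []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "route":
            routes.append(Route(t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}")))
    return routes


def _take_addr(tokens, i):
    """Read one ACL address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(config, acl_name):
    """Return (source, destination) networks of each 'permit ip' entry."""
    pairs = []
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["access-list", acl_name, "extended", "permit"] \
                and len(t) > 5 and t[4] == "ip":
            src, i = _take_addr(t, 5)
            dst, _ = _take_addr(t, i)
            pairs.append((src, dst))
    return pairs


def crypto_interface_for(config, acl_name):
    """Interface of the crypto map whose 'match address' names acl_name."""
    map_of_acl, iface_of_map = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["crypto", "map"] or len(t) < 5:
            continue
        if t[3] == "interface":
            iface_of_map[t[2]] = t[4]
        elif t[4:6] == ["match", "address"] and len(t) > 6:
            map_of_acl[t[6]] = t[2]
    return iface_of_map.get(map_of_acl.get(acl_name))


def audit(config, acl_name):
    """Check that every remote network is routed out the crypto interface."""
    routes = parse_routes(config)
    tunnel_if = crypto_interface_for(config, acl_name)
    findings = []
    for _src, dst in parse_crypto_acl(config, acl_name):
        covering = [r for r in routes if r.network.supernet_of(dst)]
        best = max(covering, key=lambda r: r.network.prefixlen, default=None)
        # A more specific route inside dst that leaves elsewhere diverts part of it.
        stray = [r for r in routes if r.network != dst
                 and r.network.subnet_of(dst) and r.interface != tunnel_if]
        ok = best is not None and best.interface == tunnel_if and not stray
        findings.append(Finding(dst, best.interface if best else None, tunnel_if, ok))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        for f in audit(cfg, "outside_1_cryptomap"):
            print(f"{label}: {f.remote} leaves via {f.egress}, "
                  f"crypto map on {f.tunnel_if}: {'OK' if f.ok else 'MISROUTED'}")
```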
-
Setting up the first spoke in a mesh network. The VPN connects just fine and there is some traffic going over it, however it looks like nothing is getting encapsulated. I see EIGRP and NHRP trying to go back and forth, but neither with much success. Any ideas where to look?
E-townInternet#show cry ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 67.235.62.74
protected vrf: (none)
local ident (addr/mask/prot/port): (xx/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (xx/255.255.255.255/47/0)
current_peer xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1646, #pkts decrypt: 1646, #pkts verify: 1646
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xx, remote crypto endpt.: xx
path mtu 1500, ip mtu 1500
current outbound spi: 0x1DAF1EB4(498015924)
inbound esp sas:
spi: 0x3E489DA4(1044946340)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4585669/53)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1DAF1EB4(498015924)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4585672/53)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
E-townInternet#
Neil,
The EIGRP retry limit is reached when NHRP has not been fully built.
Do you mean the tunnel interface itself is flapping (going up/down)?
Marcin
-
How to set up a one-way IPSec-L2L tunnel
This may be a silly question, since VPNs are for communication between trusted parties and most people would be trying to fix a one-way tunnel.
But I'm interested in turning a regular tunnel into a one-way tunnel, so that only traffic from my side can initiate the tunnel.
Recently, we built this tunnel between our ASA5510 and our business partner's ASA5510 to run critical applications on their web servers, which are not connected to the Internet. I want to lock it down so that they cannot initiate the VPN. I have the crypto ACL restricted to an address and port, so they can only come in on that port once the tunnel is established. We also have a personal firewall installed on each host.
Any ideas on how to make the tunnel one-way and also protect us better once the tunnel is up?
Hello
You can use the following command:
crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}
This command defines whether the tunnel is originate-only or answer-only. If you set the tunnel on your side to originate-only, the ASA will never accept tunnel setup from your business partner. However, you can still initiate the setup of the VPN tunnel.
Check:
http://www.Cisco.com/en/us/partner/docs/security/ASA/asa80/command/reference/C5.html#wp2152576
Even though the reference is for ASA 8.0, I know it works for 7.2.x too.
Hope this helps
Kind regards
Pieter-Jan
-
Traffic permitted only one-way for VPN-connected computers
Hello
I currently have an ASA 5505. I have set it up for remote-access SSL VPN. My computers can connect to the VPN just fine. They just cannot access the internal network (192.168.250.0). They cannot ping the inside interface of the ASA, nor any of the machines. It seems that all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping that VPN-connected machine from the ASA and from other machines inside the LAN. It seems that traffic is only allowed one way. I have messed around with ACLs to no avail. Any suggestions please?
DHCP pool: 192.168.250.20 - 50 --> for LAN
VPN pool: 192.168.250.100 and 192.168.250.101
Outside interface gets DHCP from the modem
The inside interface: 192.168.1.1
Running config:
: Saved
:
ASA Version 8.2 (5)
!
hostname HardmanASA
activate the password # encrypted
passwd # encrypted
names of
!
interface Ethernet0/0
switchport access vlan 20
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan10
nameif inside
security-level 100
IP 192.168.250.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
IP address dhcp setroute
!
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
pager lines 24
Within 1500 MTU
Outside 1500 MTU
ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.250.0 255.255.255.0
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.250.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Telnet timeout 5
SSH 192.168.250.0 255.255.255.0 inside
SSH timeout 5
SSH version 2
Console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.250.20 - 192.168.250.50 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_Pool
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:30fadff4b400e42e73e17167828e046f
: end
Hello,
No worries.
As we are changing the config, I would do it as well as possible.
First, it is strongly recommended to use a different range of IP addresses for the VPN clients than for the internal network:
no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
access-list NAT_0 permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
nat (inside) 0 access-list NAT_0
Then give it a try, and if it works, rate this post hehe
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
In the past I've implemented several VPN connections between ASA devices, so I thought a site-to-site link between an ASA and an 1841 would be easy... But it seems I was mistaken.
I configured a site-to-site VPN as described in Document ID 110198, "SDM: IPsec Site to Site VPN between ASA/PIX and an IOS Router Configuration Example" (I did not use SDM but CCP).
I ran the wizards on the ASA with ASDM and on the 1841, which runs IOS version 15.1, with CCP.
It seems Phase 1 and Phase 2 are coming up, although my ASA reports in ASDM (Monitoring > VPN > VPN Statistics > Sessions) an established tunnel with some Tx traffic but 0 Rx traffic.
On the ASA:
Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"
peer address: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

      access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
      current_peer: 217.xx.yy.zz

      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 39135054
      current inbound spi : B2E9E500

    inbound esp sas:
      spi: 0xB2E9E500 (3001672960)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4374000/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x39135054 (957567060)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4373976/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Output of the command: "sh crypto isakmp sa"
   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

    IKE Peer: 217.xx.yy.zz
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

On the 1841
1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE

1841#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
It seems that the routing on the 1841 is working properly, as I can tear down the tunnel and bring it back up by pinging a host on the network of the 1841, but not vice versa.
The "Troubleshoot VPN" report of the 1841 shows a message like "The following sources are forwarded through the crypto map interface. (172.20.2.0 1) Go to 'Configure -> Routing' and correct the routing table."
I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, I would highly appreciate a hint!
This is the running configuration of the 1841:
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
memory-size iomem 20
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
ip source-route
!
no ip dhcp use vrf connected
!
ip cef
no ip bootp server
ip domain name test
ip name-server 194.25.2.129
ip name-server 194.25.2.130
ip name-server 194.25.2.131
ip name-server 194.25.2.132
ip name-server 194.25.2.133
no ipv6 cef
!
multilink bundle-name authenticated
!
!
object-group network phone
 description VoIP phone
 host 172.20.2.50
 host 172.20.2.51
!
redundancy
!
!
controller DSL 0/0/0
 mode atm
 dsl-mode shdsl symmetric annex B
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address 62.aa.bb.cc
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to62.aa.bb.cc
 set peer 62.aa.bb.cc
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
!
!
!
interface FastEthernet0/0
 description DMZ $FW_OUTSIDE$
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$ $FW_INSIDE$
 ip address 172.20.2.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxxx8
 ppp pap sent-username xxxxxxx password 7 xxxxxxx
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.2.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 length 0
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 172.20.2.250 prefer
end
As I mentioned previously: any hint is much appreciated!
Best regards
Joerg
Joerg,
The ASA does not receive any VPN packets because the IOS router does not send anything.
Try to send packets from the 1841 LAN to the LAN of the ASA and see if "sh cry ips sa" on the 1841 increments the encrypted packets (they do not).
So the problem seems to be on the router side.
I would think it is a routing problem, but you only have one default gateway (no other routes on the router).
ACL 100 is set to encrypt the traffic between the two subnets.
It seems that ACL 101 is also bypassing NAT for the VPN traffic.
Follow these steps:
Try running traffic from the router's inside LAN IP (ping 192.168.37.x source 172.20.2.254) and see whether the packets bypass translation and get encrypted.
I would also remove ACL 100 from the inside interface on the router, because it is used for the VPN. You can create another ACL to apply to the interface.
Federico.
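The comparison Federico makes by eye (one peer only encrypts, the other only decrypts) can be scripted. This is an added example, not code from the thread: the two excerpts are constructed in the native "show crypto ipsec sa" layout using the counters and subnets quoted above, and the names parse_sa and diagnose are hypothetical.

```python
import re

# Constructed excerpts in the native "show crypto ipsec sa" layout. The
# counters and subnets are the ones quoted in the thread; the rest is trimmed.
ASA_SA = """\
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc
      local ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ROUTER_SA = """\
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident\s+\([^)]*\):\s+\(([^/]+)/([^/]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_sa(text):
    """Return proxy identities and encaps/decaps counters of the first SA."""
    sa = {}
    for side, addr, mask in IDENT_RE.findall(text):
        sa.setdefault(side, f"{addr}/{mask}")
    for name, value in COUNT_RE.findall(text):
        sa.setdefault(name, int(value))
    missing = {"local", "remote", "encaps", "decaps"} - set(sa)
    if missing:
        raise ValueError(f"not a usable 'show crypto ipsec sa' excerpt: {sorted(missing)}")
    return sa


def diagnose(name_a, sa_a, name_b, sa_b):
    """Compare both peers' view of one tunnel and name the side to inspect."""
    findings = []
    if sa_a["local"] != sa_b["remote"] or sa_a["remote"] != sa_b["local"]:
        findings.append("proxy identities are not mirror images: compare the crypto ACLs")
    for tx_name, tx, rx_name, rx in ((name_a, sa_a, name_b, sa_b),
                                     (name_b, sa_b, name_a, sa_a)):
        if tx["encaps"] == 0 and tx["decaps"] > 0:
            findings.append(
                f"{tx_name} decrypts but never encrypts: nothing leaving {tx_name} matches "
                "its crypto ACL (check NAT exemption, routing and interface ACLs there)")
        elif tx["encaps"] > 0 and rx["decaps"] == 0:
            findings.append(
                f"{tx_name} encrypts but {rx_name} decrypts nothing: ESP is dropped "
                f"between the peers or rejected by {rx_name}")
    return findings


if __name__ == "__main__":
    for line in diagnose("ASA", parse_sa(ASA_SA), "1841", parse_sa(ROUTER_SA)):
        print(line)
```

With the thread's counters the only finding points at the 1841, which matches the reply above: the router receives and decrypts the ASA's traffic but puts nothing back into the tunnel.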
-
We have an established IPsec tunnel, but no traffic is passing over it. I can only see my end, and everything seems to be in good condition.
When I run "sh crypto ipsec sa peer x.x.x.x" I can see that packets are being encapsulated, but none are being decapsulated.
Running packet-tracer also shows that my traffic is allowed.
How can I know for certain that the issue is at the other end of the tunnel?
Hi Louis,
If you see that your end is encapsulating packets... then the traffic is entering the tunnel and leaving encapsulated... the FW/VPN device at the other end should receive it and decapsulate it to send the traffic on to the destination... that is the outbound traffic... the return packet or response packet will be encapsulated again and sent to us, where it is decapsulated and delivered to the requester...
Here, you need to check on the firewall at the other end and see whether packets get decapsulated and encapsulated in this way... for that you may need to check the routing for the remote LAN on the remote peer, NAT, whether the IPsec policy rules match, etc...
Run a debug crypto ipsec 128 on your side to see if that gives a...
If you do all these step by step... no doubt, you can sort out the issue...
Regards
Knockaert
-
One way or another on my email print size has decreased to the point I can hardly read it.
One way or another on my email print size has decreased to the point I can hardly read it. Can any of you tell me please what keys hold and scroll to get the largest print size. Thank you very much.
original title: Email printing size
Sorry, but with it being Yahoo Webmail, I am left without a clue. Maybe the Internet Explorer forum or Yahoo support might be more useful.
Internet Explorer forums
http://answers.Microsoft.com/en-us/IE -
Hello
We have two expressways and we have received a report of a company, call one of our sites had issues with one-way video. The appellant could not see the person they had composed, but they could see the appellant. Audio was OK. They were ordered to place a new call through our other expressway and all audio and video works just fine. So, I'm trying to understand if there is a difference between highways and why this happens. They run every two X8.1.1. The strange thing is that we only received from an enterprise report then having this problem through this "faulty" highway is us or them? Apparently, they do not have problems with one another that they make calls...
Looks like maybe it's time to collect newspapers... but everyone else encountered this? No I well confused everyone :)
Thank you!
In general I really wouldn't expect things to need to a few reboots to register.
Well sure a typical tech & response of the TAC will be "upgrading to the last" which I also recommended,.
but your symptoms still its a bit sketchy.
Its a good start to check if your firewall/network/dns /... are ok as well. A lot of questions
are hidden there. It is difficult to see the full extend of here.
Please get some internal or as a good Cisco partner or network resources.
And Yes, look in the upgrade to CUCM!
But the network / the environment should still be ok for that as well :-)
Please note the messages with the stars below and define the thread if it is a response.
-
Is there one way other than to_char to get the month of the date field
Is there one way other than to_char to get the month of the date field
Hello
raj4tech wrote:
Is there one way other than to_char to get the month of the date field
EXTRACT is one:
SELECT EXTRACT (MONTH FROM SYSDATE) AS curr_month
FROM dual;
-
Is it only a one-way sync?
It does not appear the changes I do either Illustrator or Indesign gets returned to the application? It would be really great. Maybe I'm not saving correctly? In any case, looks very promising!
J.
It is one-way. The application of the model is to make a model, a "global," sketching a layout.
The file is sent to InDesign/Illustrator/Photoshop for the realization of the project.
He actually quite brilliantly designed and implemented, especially for a 1.0 release.
-
In the bpel process one-way transaction management
Hello
I created a one-way bpel process with oneWayDeliveryPolicy property - property Sync and transaction - required. When I exposed this service as a SOAP service, I see well The Participation of Transaction in the Web Service adapter in the way of exposed Services configured as EVER. Is this to say that BPELCallee would not participate in the same transaction as the appellant BPEL?
Aditya
Hello
The properties refer to the support of different transaction "contexts", as you can see in the documents below. The bpel.config.transaction property refers to the transaction semantics of BPEL Process Manager, while the "Transaction Participation" setting refers to WS-AT, which provides transaction interoperability between Oracle WebLogic Server and other vendors' transaction services... I've never tested it myself, but I guess that if you process BPEL transactions, bpel.config.transaction will prevail...
http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/soa_transactions.htm#CHDEHCFE
http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/sca_bindingcomps.htm#SOASE86071
See you soon,
Vlad -
Configuration very base one-way Golden Gate
Version of DB: Oracle 11.2.0.3
Golden Gate version: 11.2 (last one dated September 22, 2012)
Platform: Solaris x 86 64-bit
Currently learning Golden Gate by googling and I'll install Golden Gate for the first time.
That's what I'm planning.
I intend to set up a very basic one-way GG, in which the SCOTT and HR schemas in the source DB are replicated to the target DB.
Source DB : fncdev
Target DB : sgntgt
What needs to be replicated : SCOTT and HR schemas from source has to be replicated to Target ( Unidirectional )
I would like to know 2 things.
1. What should be the content of the parameter file?
2. After I have properly configured GG, what would be the output of the INFO ALL command on the source and target databases?
-- Source database
GGSCI > info all
-- Target database
GGSCI > info all
Basic extract and replicat parameter file content:
EXTRACT E_TEST1
SETENV (ORACLE_SID = OGGTEST)
USERID GGADMIN, PASSWORD *
EXTTRAIL /goldengate/gg_trail/trail/test/and
-- Add below lines only if DDL replication is configured.
-- DDL INCLUDE MAPPED
-- DDLOPTIONS ADDTRANDATA, REPORT
TABLE HR.*;
TABLE SCOTT.*;
-------------------------------------------------------------------------------------------------
REPLICAT R_TEST1
SETENV (ORACLE_SID = OGGTEST)
USERID GGADMIN, PASSWORD *
ASSUMETARGETDEFS
DISCARDFILE oragg/11.1/dirrpt/R_TEST1.dsc, APPEND, MEGABYTES 1024
MAP HR.*, TARGET HR.*;
MAP SCOTT.*, TARGET SCOTT.*;
I hope that these samples help!
Kind regards
RB